Privacy Policy
Last updated: June 14, 2026 · Effective: June 14, 2026
FlexOra ("FlexOra", "we", "us", or "our") operates the platform available at www.flex-ora.app. This Privacy Policy explains how we collect, use, share, and protect personal information when you use our services, and describes the rights available to you under the GDPR (EU/UK), CCPA (California), and other applicable privacy laws.
1. Data Controller
The data controller responsible for your personal data is:
FlexOraEmail: privacy@flex-ora.app
Website: www.flex-ora.app
For GDPR purposes, FlexOra acts as a data controller for data relating to our registered users (business owners and staff). For personal data of end-customers entered into FlexOra by our business users, FlexOra acts as a data processor on behalf of the business.
2. Personal Data We Collect
Account & Registration Data
- Name, email address, and password (hashed)
- Business name, type, location, phone number
- Billing information (processed by Stripe — we do not store card numbers)
- Profile image (optional)
Usage & Platform Data
- Log data: IP address, browser type, pages visited, timestamps
- Feature usage metrics (which modules you use, frequency)
- Error reports and performance data
- Session identifiers (HttpOnly cookies)
Customer Data You Enter
When you use FlexOra to manage your business, you may enter personal data about your own customers (names, emails, phone numbers, appointment history, payment records). You are the data controller for this data; FlexOra processes it on your behalf as a processor.
AI Interaction Data
Queries you send to FlexOra's AI features are processed by Anthropic (Claude API). We mask Personally Identifiable Information before sending data to the AI. See Section 5 for details.
3. Legal Basis for Processing (GDPR)
We process personal data under the following legal bases (Article 6 GDPR):
| Purpose | Legal Basis |
|---|---|
| Providing the FlexOra service | Contract (Art. 6(1)(b)) |
| Processing payments via Stripe | Contract (Art. 6(1)(b)) |
| Sending transactional emails (receipts, password resets, appointment confirmations) | Contract (Art. 6(1)(b)) |
| Complying with legal obligations (tax, fraud prevention) | Legal obligation (Art. 6(1)(c)) |
| Sending marketing & daily briefing emails | Consent (Art. 6(1)(a)) — withdraw anytime |
| Analytics and product improvement | Legitimate interests (Art. 6(1)(f)) |
| Security monitoring and abuse prevention | Legitimate interests (Art. 6(1)(f)) |
4. How We Use Your Data
- To create and maintain your FlexOra account
- To process payments and manage subscriptions via Stripe
- To provide CRM, scheduling, invoicing, automation, and AI features
- To send transactional emails: booking confirmations, invoices, password resets
- To send service communications: subscription updates, payment alerts
- To send marketing communications (daily briefings, product updates) — only with your consent, and you may opt out at any time via the unsubscribe link in any email or in Dashboard → Settings → Security → Privacy & Consent
- To monitor and improve platform reliability, security, and performance
- To comply with applicable laws and regulations
6. Data Retention
- Account data: retained for the duration of your subscription plus 90 days after account deletion (to allow recovery), then permanently deleted.
- Financial records (invoices, payment logs): retained for 7 years as required by tax law.
- Audit logs: retained for 12 months.
- Email logs: retained for 90 days.
- Customer data you enter (clients, appointments): deleted promptly upon account deletion or upon your explicit request.
- Anonymized analytics: may be retained indefinitely (not linked to individuals).
You may request deletion of your account and all associated data at any time via Dashboard → Settings → Security → Delete Account. We will process your request within 30 days (GDPR Art. 17).
7. Security
- All data is encrypted in transit via TLS 1.2+
- Passwords are hashed using bcrypt (never stored in plain text)
- Authentication uses HttpOnly, Secure, SameSite cookies
- Stripe handles all payment card data (we are PCI-DSS compliant by delegation)
- AI prompts are sanitized to remove PII before transmission to Anthropic
- Access to production databases is restricted to authorized personnel only
- Rate limiting and abuse detection on all public endpoints
In the event of a personal data breach, we will notify affected users and relevant supervisory authorities as required by GDPR Art. 33-34 (within 72 hours where feasible).
8. International Data Transfers
FlexOra may transfer personal data to countries outside the European Economic Area (EEA) or UK, including to the United States where our cloud infrastructure and some processors (Stripe, Anthropic, Resend) operate. These transfers are safeguarded by:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-U.S. Data Privacy Framework participation (where applicable)
- Processor-specific adequacy decisions
You may request a copy of the relevant safeguards by contacting us at privacy@flex-ora.app.
9. Your Rights
Under GDPR (EU/UK), you have the following rights. Requests will be fulfilled within 30 days:
- Right of Access (Art. 15) — request a copy of all personal data we hold about you. Use Dashboard → Settings → Security → Export My Data for an instant JSON export.
- Right to Rectification (Art. 16) — correct inaccurate personal data via your account settings.
- Right to Erasure / "Right to be Forgotten" (Art. 17) — delete your account and all personal data. Use Dashboard → Settings → Security → Delete Account.
- Right to Restrict Processing (Art. 18) — request we pause processing in certain circumstances.
- Right to Data Portability (Art. 20) — receive your data in a structured, machine-readable format (JSON export available instantly).
- Right to Object (Art. 21) — object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent (Art. 7(3)) — withdraw marketing consent at any time via Dashboard → Settings → Security → Privacy & Consent, or by clicking Unsubscribe in any marketing email.
- Right to Lodge a Complaint — you may file a complaint with your national supervisory authority (e.g., ICO in the UK, CNIL in France, or the relevant EU DPA).
To exercise any right, contact us at privacy@flex-ora.app. We may verify your identity before processing requests.
10. California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:
- Right to Know — request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete — request deletion of personal information we have collected, subject to certain exceptions.
- Right to Opt-Out of Sale or Sharing — FlexOra does not sell or share your personal information for cross-context behavioral advertising.
- Right to Correct — request correction of inaccurate personal information.
- Right to Limit Use of Sensitive Personal Information — we do not use sensitive personal information for purposes beyond providing our services.
- Right to Non-Discrimination — we will not discriminate against you for exercising your CCPA rights.
To submit a CCPA request, email privacy@flex-ora.app with "CCPA Request" in the subject line. We respond within 45 days. We do not respond to Do Not Track signals from browsers.
12. Children's Privacy
FlexOra is intended for use by business owners and their staff and is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@flex-ora.app and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) and by posting a notice on the platform at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
Continued use of FlexOra after the effective date constitutes acceptance of the updated policy.
14. Contact & Data Protection Officer
For any privacy-related questions, requests, or complaints:
Privacy Team — FlexOraEmail: privacy@flex-ora.app
Response time: within 5 business days (GDPR requests: within 30 days)
You also have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents may contact the ICO at ico.org.uk.